On Tue, Aug 05, 2008 at 06:12:34PM -0400, Press, Jonathan wrote:
This is actually quite shocking to me. You don't know how to define
the threat model? And you call yourself in the security business?
Read some books or essays by Bruce Schneier. A good one might be his
recent book, "Beyond Fear: Thinking Sensibly About Security In An
Uncertain World".
The naive refusal to think about threat models is why we have to
submit to really insane, useless, "security theater" every time we get
on an Airplane and have to take off our shoes and throw our bottleed
water into a huge heap in front of the security line. (If they really
thought the water bottles could contain explosives, why leave them in
a huge pile in front of the TSA employees. :-)
If the goal is to get make we are proof against malware, we need to be
very clear about the whys and wherefores about how the file might have
gotten there. And if you are going to be serving that file a million
times a day, does it really make sense to block the open a million
times a day, or do you make sure that you notice when it gets
corrupted in the first place?
And security is not an absolute. Just as the terrorists win if it can
induce the White House to shred the constitution and force us all to
live in a constant state of fear, it is also pointless to induce
people to install software that horrifically slows down their server
so badly that you can't get anything done.
If people in the AV industry don't know how to think about threat
models, it says a lot about their competence as security engineers.
And I say this as someone who was team lead of Kerberos at MIT, and
was the chair of the IP Security working group at the IETF (the
standards body for the Internet), and who has served on the Security
Area Directorate (alongside Bruce Schneier) at the IETF.
- Ted
--
